Re: [GENERAL] Prepared statement performance... - Mailing list pgsql-jdbc

From Curt Sampson
Subject Re: [GENERAL] Prepared statement performance...
Date
Msg-id Pine.NEB.4.44.0210161502470.8619-100000@angelic.cynic.net
In response to Re: [GENERAL] Prepared statement performance...  ("Peter Kovacs" <peter.kovacs@sysdata.siemens.hu>)
List pgsql-jdbc
On Mon, 14 Oct 2002, Peter Kovacs wrote:

> I do not clearly understand what the problem is with someone typing in
> "foo'; DROP TABLE bar;" into the "Name" field on your web form.

If you do just a dumb string concatenation, it can insert arbitrary
commands into your conversation with the postgres database. E.g.,
your code does this to construct the query:

    "SELECT id FROM users WHERE name = '" + name + "'"

and name, taken directly from the input field, is

    foo'; DROP TABLE users; SELECT 'foo

Your query ends up being:

    SELECT id FROM users WHERE name = 'foo'; DROP TABLE users; SELECT 'foo';

cjs
--
Curt Sampson  <cjs@cynic.net>   +81 90 7737 2974   http://www.netbsd.org
    Don't you know, in this new Dark Age, we're all light.  --XTC
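The contrast the post is drawing, string concatenation versus a bound parameter, as an added example that is not part of the original message or of the PostgreSQL JDBC driver. It uses Python's standard sqlite3 module in place of a JDBC connection so it runs offline; in JDBC the same fix is a PreparedStatement with setString, where the driver sends the value separately from the SQL text. The users table, its two rows, and the function names are constructed for this demo; the hostile name is the exact string from the post.

```python
import sqlite3

# Constructed sample input: the value from the post, typed into the "Name" field.
MALICIOUS_NAME = "foo'; DROP TABLE users; SELECT 'foo"


def fresh_db():
    """In-memory SQLite database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("foo",)])
    conn.commit()
    return conn


def build_query_by_concatenation(name):
    """The vulnerable pattern from the post: the value is pasted into the SQL text,
    so quote characters in the value change the structure of the statement."""
    return "SELECT id FROM users WHERE name = '" + name + "'"


def table_exists(conn, table):
    """Check the catalogue for a table; used to show whether DROP TABLE ran."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def lookup_parameterized(conn, name):
    """The fix: the value travels as a bound parameter, never as SQL text.
    Whatever the string contains, it can only ever be compared against name."""
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (name,))
    return [r[0] for r in rows]


def demo():
    """Run both approaches against the hostile input and report what happened."""
    results = {}

    # 1. Concatenation. executescript() is used because, like a server that accepts
    #    several statements in one request, it runs every statement in the string;
    #    sqlite3's execute() would refuse the multi-statement text and hide the issue.
    conn = fresh_db()
    conn.executescript(build_query_by_concatenation(MALICIOUS_NAME))
    results["concat_table_survives"] = table_exists(conn, "users")

    # 2. Bound parameter. The same input is just a (non-matching) name.
    conn = fresh_db()
    results["param_rows"] = lookup_parameterized(conn, MALICIOUS_NAME)
    results["param_table_survives"] = table_exists(conn, "users")
    results["param_rows_benign"] = lookup_parameterized(conn, "foo")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With concatenation the users table is gone after one lookup; with the bound parameter the hostile string matches no row, the table is intact, and an honest lookup for "foo" still returns its id. The point for a JDBC application is the same: a PreparedStatement with placeholders costs nothing in complexity and removes the whole class of problem, whereas escaping quotes by hand has to be right on every code path.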